mrlachatte: (Default)
Well, I'm back.  For today, at least.  And the topic of today's post?  Usability!  Hooray!

As of December 3rd, I am now a fully responsible, contributing member of society, also known as an adult.  With great responsibility comes great power, therefore it is with (great) pleasure that I am able to announce that I can now bank online.  Yes, the powers that be (also known as The Man) have determined that I am now in possession of some required intellectual capability and must no longer make the trudge down the street to my local TD branch in order to determine the state of my material possessions.  There are not words to describe the intense joy I am experience inside.

However, this is simply the prelude.  Today's topic stems from the newly created Canadian Tire Financial Services.  The chain that previously wanted most of your money now wants all your money.  Well, at least it's Canadian!  Full speed ahead!  What's that?  Until December 31st, normal 4% interest is actually 5.5% interest?  Where can I sign?

That was the idea, at least.  Having now created an account, I am feeling significantly less comfortable with the arrangement.  Here's the deal: after Canadian Tire approves your account creation and the initial deposit, you have to phone them up to receive a temporary password for web banking.  That sounds perfectly reasonable to me.  When I asked to speak to a customer service representative, I had to verify my identity by reciting the usual personal information - name, address, postal code.

'That's good,' I thought to myself.  'I'm glad they're concerned about these sorts of things.'

However, once I let the representative know that I wished to obtain a temporary password, suddenly we went on a trip to Bizarro-land.  I was informed that my identity had to be verified via three random questions from a third-party... identity provider?  I was never quite sure exactly what this third party's role was.  The three questions were similar to these:

  1. What is your home phone number? (Ho-hum, pretty basic)
  2. Which of following is the address of the National Banking branch that you bank with: 123 Dufferin Street, 457 Sunshine Ave, or none of the above? (Hold up, I don't bank with NB.  What gives here?)
  3. Which of the following is the address of a cooperative that you have lived in during the past 10 years: 24 Park Lane, 714 Reno Street, or none of the above? (Wait what?  I've never lived in a cooperative.)
When confronted with question two I paused, for quite some time.  This is the first time I can remember being asked a question which is inherently wrong in order to prove my identity.  There's something very counter-intuitive about the whole situation.  After probably 30 seconds of silence, the representative asked me, "Do you bank with National Bank?" to which I replied, "No, I don't."  Replied she: "Then the answer would be none of the above, right?"  Uncertaintly, I said, "Yes, I suppose?"  She promptly moved on to the next question, which is based on the exact same premise.  This second time I chose the last answer with more confidence, but it's still quite... disconcerting, I suppose.

So, with that formality out of the way, and my identity confirmed twice (double the security!), the representative was now authorized to give me my temporary password.  After warning me that it would expire in two hours, she then proceeded to inform me that the password I changed it to would have to be between 6 and 8 characters long.

"And that's numbers only," she continued.  "We don't accept letters in your password."

Ding ding ding ding.  Warning bells.  Not very loud ones, but bells nonetheless.  What kind of system restricts you to numbers, but requires the same length as a normal passphrase?  Note the irony in calling it a password, but not accepting anything to constitute a word.

I dutifully finished the conversation and went to, and promptly noted another alarming feature.  Underneath the login box is a checkbox labelled "Using a shared computer."  This checkbox defaults to off.  This is the opposite behaviour of the majority of other financialinternet institutions.  If you could be remembering sensitive data, you should make sure the user specifically instructs you to remember it, not the other way round.  Ding ding ding ding ding.

So, I logged in and was presented with the required password change (after being instructed to input my current password in order to agree to the terms of service.  What?)  And the representative was right, they only accept 6-8 numbers.  And the explicitly state that you should avoid anything like phone numbers, birthdays, sequences, and other similarly easily-deduced strings of numbers.  However, that's not leaving me much to go by, is it?  How many other password-length numbers that are "unique and easily memorizable" can you think up?  That's what I thought.

So that's it.  I can't fathom the thought process behind these decisions.  On one hand, limiting a password to numbers would seem to provide additional security by removing the ability to choose easily-guessed words ("password1", anybody?)  However, it seems to me that people would be far more likely to choose a phone number or birthdate simply because the alternative is a meaningless string of digits.  And if customers can't remember their passwords, I would assume that they could call up the service representative in order to be issued a temporary one.  But if all this requires is validating your identity by what you're not, that doesn't seem like a completely secure system.  I'm going to be contacting CTFS with my concerns later tonight, but I wanted to put my thoughts down coherently first.

Am I right to be this wary?  Do you get the same alarm bells in your heads?  Internet, talk to me.


Jul. 28th, 2005 03:07 am
mrlachatte: (Default)
There's a new beta of Greasemonkey 4.1 out on the mailing list, it has almost perfect backwards compatibility right now, and it's fixed every one of the security issues brought up.  It's also much harder to detect and stop, and the only security "issue" now is that a website can get the source of your script.  What that translates to is don't leave passwords sitting in your scripts!

EDIT: A message on the ml just after posting this notes that the 0.4.1 attachment is not a beta, but a cutting-edge development version, akin to a nightly Firefox (Deer Park?) build. Still, get it, report bugs. Enhance the web.

December 2007

23242526 272829


RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Sep. 25th, 2017 09:56 am
Powered by Dreamwidth Studios